✘"\x07ntske/1"

Gary E. Miller gem at rellim.com
Wed Jul 24 19:29:14 UTC 2019


Yo Hal/Daniel!

Does this look to you two like the fix to the Hackathon issues?

On Wed, 24 Jul 2019 21:19:59 +0200
Achim Gratz via devel <devel at ntpsec.org> wrote:

> Achim Gratz via devel writes:
> > The disagreement probably was about how the server code compares the
> > strings.  The API description is pretty clear on that the "in"
> > parameter is just the char array of "inlen" characters (the counted
> > string is already split), so indeed the code (which Hal changed
> > from what Christer had originally committed) seems wrong.
> 
> I misread that description, out/outlen is a single protocol and
> in/inlen is a protos list.  :-P
> 
> Anyway, this or something very close to it should implement the
> required matching algorithm:
> 
> --8<---------------cut here---------------start------------->8---
> Subject: [PATCH] ntpd/nts_server.c: ALPN protocol matching
> 
> ---
>  ntpd/nts_server.c | 34 +++++++++++++++++-----------------
>  1 file changed, 17 insertions(+), 17 deletions(-)
> 
> diff --git a/ntpd/nts_server.c b/ntpd/nts_server.c
> index 20ea8a02b..00570771c 100644
> --- a/ntpd/nts_server.c
> +++ b/ntpd/nts_server.c
> @@ -56,29 +56,29 @@ static int alpn_select_cb(SSL *ssl,
>  			  void *arg)
>  {
>    static const unsigned char alpn[] = { 7, 'n', 't', 's', 'k', 'e',
> '/', '1' };
> -  unsigned i, len;
> +  unsigned i, j, initemlen, alpnitemlen;
>  
>    UNUSED_ARG(ssl);
>    UNUSED_ARG(arg);
>  
> -  for (i = 0; i < inlen; i += len) {
> -    len = in[i]+1;  /* includes length byte */
> -#if 0
> -    char foo[256];
> -    strlcpy(foo, (const char*)in+i+1, len);
> -    msyslog(LOG_DEBUG, "DEBUG: alpn_select_cb:  %u, %u, %s",
> inlen-i, len, foo); -#endif
> -    if (len > inlen-i)
> -      /* bogus arg: length overlaps end of in buffer */
> -      return SSL_TLSEXT_ERR_ALERT_FATAL;
> -    if (len == sizeof(alpn) && !memcmp(in+i, alpn, len)) {
> -      *out = in+i;
> -      *outlen = len;
> -      return SSL_TLSEXT_ERR_OK;
> +  /* iterate over input protos list */
> +  for (i = 0; i < inlen; i += initemlen) {
> +    initemlen   = in[i++];   /* consume length byte */
> +    /* iterate over server protos list */
> +    for (j = 0; j < sizeof(alpn); j += alpnitemlen) {
> +      alpnitemlen = alpn[j++]; /* consume length byte */
> +      if (initemlen == alpnitemlen
> +	  && !memcmp(in+i, alpn+j, initemlen)) {
> +	*out = in+i;
> +	*outlen = initemlen;
> +	return SSL_TLSEXT_ERR_OK;
> +      }
> +      /* check next entry in alpn */
>      }
> +    /* check next entry in in */
>    }
> -
> -  return SSL_TLSEXT_ERR_NOACK;
> +  /* input and server protos list have no common entry */
> +  return SSL_TLSEXT_ERR_ALERT_FATAL;
>  }
>  #endif
>  
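
Review bot: The rewritten outer loop has no replacement for the removed `if (len > inlen-i)` check, so when the last entry's length byte claims more bytes than remain in `in`, `memcmp(in+i, alpn+j, initemlen)` can read up to 7 bytes past the end of the buffer, and `*out`/`*outlen` can describe a span that overruns it. Right after `initemlen = in[i++];`, add a guard such as `if (initemlen > inlen - i) return SSL_TLSEXT_ERR_ALERT_FATAL;` so a malformed list is rejected before any comparison. The inner loop walks `alpn` the same way and is safe only while that array stays well-formed, which is worth a comment for whoever adds a second protocol. The change of the no-match return from SSL_TLSEXT_ERR_NOACK to SSL_TLSEXT_ERR_ALERT_FATAL alters the handshake result for clients that offer only other protocols and should be stated in the commit message, which currently has only a subject line.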




RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin